greenshire
RPC - HTTPS Exchange config problem
Windows 2003 LAN; DC and EXCHANGE on separate boxes; no separate front-end Exchange.
Configured everything according to:
http://www.amset.info/exchange/rpc-http-server.asp
outlook /rpcdiag shows that we are NOT connecting over https, even in the LAN
https://mail.domain.com/rpc prompts for credentials WITHOUT a certificate error, so we believe the certificate is doing just fine.
On exchange, the rpcproxy \ Validports registry entry (names have been changed to protect the innocent):
exchange:100-5000;exchange:6001-6002;exchange.domain.com:6001-6002;dc:6001-6002;dc.domain.com:6001-6002;exchange:6004;exchange.domain.com:6004;dc:6004;dc.domain.com:6004;mail.domain.com:6001-6002;mail.domain.com:6004;dc:593;dc.domain.com:593;exchange:593;exchange.domain.com:593;mail.domain.com:593
mail.domain.com is external name
exchange and exchange.domain.com are internal names
(note domain.com is the same internal and external, but shouldn't be a problem to get internal working)
Had trouble with this reg entry until I found "rpccfg /hd" which helped identify an extra semi-colon.
rpccfg /hd works now with expected results. Not sure though whether this box would still need a restart for the registry change to 'take' otherwise when rpccfg /hd yields the expected results.
I'm thinking the next steps are troubleshooting using rpcping
Not sure the switches that would be best to use, but running from a client I get:
Exception 5 (0x00000005)
running it on the server I get:
Completed 1 calls in 1 ms
1000 T/S or 1.000 ms/T
Please HELP!
Have you made the registry change on the domain controller?
Simon.
ASKER
Annoying, this feature either works or it doesn't.
In my experience it comes down to one of three things wrong.
1. SSL certificate errors.
2. Authentication settings.
3. Registry settings.
On the authentication issue, in IIS Manager find the /rpc virtual directory and ensure that just integrated and basic authentication is enabled. It should not have anonymous or anything else enabled.
The registry settings are easily broken by a single ; in the wrong place. I will often rip the entire set out and replace them to ensure that it is set correctly.
Simon.
ASKER
SSL is working because we can get the prompt for credentials without certificate warnings.
I verified that IIS virtual directory is configured correctly, specifically integrated and basic authen.
rpccfg on exchange shows me that the registry is taking:
C:\>rpccfg /hd
Server Name Port Settings
-------------------------- ---------- ---------- ---------- ---------- ----
dc 593 6001-6002 6004
dc.domain.com 593 6001-6002 6004
exchange 100-5000 593 6001-6002 6004
exchange.domain.com 593 6001-6002 6004
mail.domain.com 593 6001-6002 6004
Now the rpccfg only showed me that the registry settings worked as of a change I made yesterday. Might the server still need a reboot for those ports to actually work (not just for the rpccfg utility)?
What else can I use to test where this might be broken?
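An added example, not part of the original thread and not a Microsoft tool: a small Python checker for a ValidPorts string that catches the stray-semicolon problem discussed above and groups ports per server the way the rpccfg /hd output does. It also flags any range other than 593, 6001-6002 and 6004, since ValidPorts is the list of servers and ports the RPC proxy is allowed to forward to; that expected set is taken from the values in this thread and is an assumption, as are all function and variable names.

```python
import re
from collections import defaultdict

# Ports this thread's configuration uses (593, 6001-6002, 6004). Treating
# anything else as "unexpected" is an assumption of this example.
EXPECTED = {(593, 593), (6001, 6002), (6004, 6004)}
ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")

def check_validports(value):
    """Return (ports_by_server, findings) for a ValidPorts string."""
    ports, findings = defaultdict(set), []
    for idx, raw in enumerate(value.split(";")):
        if raw == "":
            findings.append(f"entry {idx}: empty (stray ';')")
            continue
        if any(c.isspace() for c in raw):
            findings.append(f"entry {idx}: whitespace in {raw!r}")
            continue
        m = ENTRY.match(raw)
        if not m:
            findings.append(f"entry {idx}: malformed {raw!r}")
            continue
        host = m.group(1).lower()
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not (0 < lo <= hi <= 65535):
            findings.append(f"entry {idx}: bad port range {raw!r}")
            continue
        ports[host].add((lo, hi))
        if (lo, hi) not in EXPECTED:
            findings.append(f"entry {idx}: unexpected range {lo}-{hi} for {host}")
    # Each listed server should carry the full expected set, as rpccfg /hd shows.
    for host, got in sorted(ports.items()):
        for lo, hi in sorted(EXPECTED - got):
            findings.append(f"{host}: missing {lo}" + (f"-{hi}" if hi != lo else ""))
    return dict(ports), findings

# Constructed samples, using the anonymised host names from the question.
HOSTS = ["dc", "dc.domain.com", "exchange", "exchange.domain.com", "mail.domain.com"]
GOOD = ";".join(f"{h}:{p}" for h in HOSTS for p in ("593", "6001-6002", "6004"))
POSTED = "exchange:100-5000;" + GOOD          # value as posted in the question
BROKEN = GOOD.replace(";dc.domain.com:593", ";;dc.domain.com:593", 1)  # extra ';'

if __name__ == "__main__":
    for name, value in (("posted", POSTED), ("broken", BROKEN)):
        print(name, check_validports(value)[1])
```
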
A reboot technically shouldn't be required.
However if you find that it isn't working, then there is no harm in rebooting the server to see if the changes therefore "take". As I put above, this feature either works or it doesn't, and when it doesn't, trying to find why is very difficult.
Simon.
ASKER
While I am waiting for the opportunity to reboot, what can I test to rule out problems and how? All three breakpoints that you mentioned above seem to be in order.
There isn't a lot else that you can do. It either works or it doesn't. Until you can reboot you will not know whether that will be the fix or not.
Simon.
ASKER
OK, reboot availed nothing new.
tried switching to the other DC, same result.
I tried the rpcping utility and rpc seems to be functioning at one level, but when I start using some of the switches for the rpcping command, it starts throwing errors.
What else can we try to identify where the problem is?
Remove everything and start again. I have done that on more than one occasion. Remove the RPC Proxy service and then reinstall it and do the registry settings from scratch. You start going round in circles otherwise.
Simon.
ASKER
I called Microsoft. We removed the rpcproxy service and re-added, but no change.
The symptoms when we browsed the rpcproxy.dll pointed the technician to the web service extensions. We manually ripped out the 'required files' entry there and entered the path to the dll one level deeper, into the system32/rpcproxy folder instead of just the system32 folder. It now works wonderfully!
ASKER
Our resolution can be found within this KB article - http://support.microsoft.com/kb/919092
STEP 2 was our solution.
thank you for your help!
ASKER
C:\>rpcping -s churchill
Completed 1 calls in 16 ms
62 T/S or 16.000 ms/T